FAQ - Lykke Offchain Settlement
1. What is offchain settlement?
Offchain settlement is a secure method of settling a Bitcoin transaction that involves the Bitcoin Blockchain as little as possible. By this method, two parties register a mutually agreed initial state for a bidirectional payment channel (as represented by a multisignature address) on the Blockchain and then gradually modify the agreement off the Blockchain until both parties agree to continue.
Commitment transactions are messaged in the peer-to-peer channels established between the client and the exchange without hitting the Blockchain. However, at any time, either party can safely broadcast the final balance of traded coins on the Blockchain.
Payment channels are based on 2-of-2 multisig wallets, where the collateral is stored by the counterparties to provide a dispute resolution mechanism between the market participant and the exchange. The final settlement is performed at the moment the channel is closed by broadcasting the most recent commitment transaction.
With payment channels, Lykke users can securely complete trades off the Blockchain. This substantially reduces settlement times and fees.
2. What are the benefits of offchain settlement?
There are various reasons why offchain settlement is desirable:
- Settlement time is lower. Offchain settlement takes seconds, while Blockchain settlement may take from 10 minutes to more than an hour, depending on the state of the mempool.
- The Bitcoin Blockchain’s capacity limit is about 7 transactions per second. Offchain negotiations have no such limitation.
- Settlement costs are lower.
- Offchain settlement enables the implementation of limit orders based on offchain collateral transactions.
3. Why is offchain settlement secure?
Offchain settlement maintains payment channel security by initially freezing both parties’ funds on the Blockchain and providing commitments to each other off the Blockchain. When the parties agree to the terms of the new trade, commitments are updated off the Blockchain. At the same time, the commitment transaction enables either party to reclaim frozen funds simply by broadcasting the transaction on the Blockchain.
In addition to the usual security, which requires keys to update the payment channel in a multisig environment, there is another layer of security for both parties to consider: that the payment channel be closed in its most recent state, not in an expired one. This can be achieved by monitoring the Blockchain for the broadcast commitment. Lykke does this, and monitoring code that clients could use independently of Lykke is being developed. More info can be found in Question 27.
4. Who originated the idea of offchain settlement?
We adapted ideas for maintaining bidirectional channels initially proposed by the Lightning Network project (https://lightning.network/), with some key differences:
- Since the Segregated Witness improvement has not yet been adopted by the Bitcoin Blockchain, whenever trust is required because of protocol design, it is assumed that Lykke can be trusted to open channels.
- We added a new feature to the channel setup phase for accepting new deposits to the channel, whenever required.
- We added a new feature to the channel setup phase for accepting withdrawals from the channel without closing the channel, whenever required.
5. How is offchain implemented on the Lykke Exchange?
Broadly speaking, offchain implementation consists of the following parts:
Channel setup
During this part, the channel setup transaction is created and broadcast, and the first pair of commitments are exchanged.
Because the Segregated Witness improvement has not yet been adopted by the Bitcoin network, and also because we cannot have transaction IDs without the signatures of both parties, Lykke is assumed to be trusted when the channel is created.
In addition to what is described in the Lightning Network article, which creates a channel by accepting deposits from two parties, we have some additional operations for setting up channels, as described in the sections that follow.
Channel setup with deposit
In this operation, another deposit, this time directly to the multisig address, is used as another input to set up a channel. This kind of setup can be used to upgrade an existing channel, when a new deposit is made to the multisig address, probably after some sort of confirmation.
Channel setup with withdrawal
This operation is actually a mix of a cashout from the channel’s multisig output, which effectively closes the channel, and the opening of a new channel (using the previous step) for the remaining balance.
Channel state or balance update
When funds need to be transferred from the client to Lykke, or from Lykke to the client, the channel state should be updated, and a new set of commitments should be created.
In this part, the new commitments are exchanged, and the old commitments are revoked, by exchanging the key used to prevent the counterparty from accessing the broadcast funds of the commitment. The key enables either party to take all the funds from the broadcast revoked commitment on the Blockchain for at least 24 hours.
Closing the channel
Either the client or Lykke can close the channel by broadcasting the latest commitment. Whichever party broadcasts the commitment must wait 24 hours to reclaim collateral funds.
Since the previous states of a channel can be broadcast to the Blockchain, which closes the channel in an invalid state, the Blockchain should be monitored, and the designated arbitrator should take action in the event of this sort of malfeasance. The initiation of this event can originate from either side for whatever reason.
A service that will enable clients to monitor the Blockchain independently of Lykke is being finalized.
For more information on the workings of offchain implementation, you are free to examine the source code; see Question 27.
6. What is on our to-do list regarding the further development of offchain settlement?
We have many plans and ideas for the future:
- Displaying offchain transactions in the Lykke Blockchain Explorer
- Creating a tool for broadcasting commitment transactions from the client side
- Launching a service for the independent monitoring of channel commitments
- Implementing a trustless deposit feature for trading wallets
- Running a third-party liquidity provider as an open-source service
Lykke Wallet related questions
7. There’s a discrepancy between the trading wallet balance in my Lykke Wallet and the multisignature address balance on the blockchain. Where does this discrepancy come from?
Remember, when you trade from your multisignature address, the new balance is not immediately settled on the Blockchain. Hence, you get discrepancies. The balance on the Blockchain is equal to your balance plus extra coins deposited by Lykke.
8. Why does Lykke keep extra coins in my multisignature address?
Offchain settlement assumes that the Lykke Exchange might deposit some extra coins into your multisignature address. These extra coins enable you to settle off the Blockchain.
If you buy the coins, there’s no need to settle the transaction on the Blockchain, since these coins have already been deposited in your multisignature address.
9. What does my multisignature balance on the Blockchain really show?
Your multisignature balance on the Blockchain shows the total amount of coins that belong to you as well as to Lykke. Using the Blockchain, you can make sure that your balance is not less than the balance shown on the Blockchain.
10. How many coins belong to me and how many coins belong to Lykke in my multisignature address?
There’s no way to tell simply by looking at the balance on the Blockchain. Offchain commitment transactions reflect the true corresponding balances.
However, in the future, the Lykke Blockchain Explorer will provide accurate offchain balances for your multisignature address. (See the answer to Question 6 above.)
11. Where can I get my latest offchain commitment transaction?
Your latest commitment transaction is stored in your Lykke Wallet app. (In the future, it will be available for download; see the answer to Question 6 above.) Transaction notifications are also sent by email after each trade.
Offchain transactions will also be publicly available in the Lykke Blockchain Explorer.
12. What can I do with my offchain commitment transaction?
Your offchain commitment transaction is actually a Lykke Wallet refund. You can broadcast the commitment transaction to cash out coins from your multisignature address without Lykke within 24 hours.
13. Should I wait for 24 hours to make a withdrawal?
No. A withdrawal that is signed by both you and Lykke is instant. The 24-hour delay is related only to withdrawals with commitment transactions that do not have the second of the two signatures. (This second signature is Lykke’s in this case.)
14. Where will my Bitcoins be transferred if the commitment transaction is broadcast on the Blockchain?
Your Bitcoins will be transferred to the refund address that you specified in the settings of your Lykke Wallet at the time of channel setup. This process will take 24 hours.
Offchain settlement use cases
15. What happens if I want to buy Bitcoins, but only Bitcoins belonging to me appear in my multisignature address? Is onchain settlement assumed if there are no Lykke bitcoins in my channel address?
Lykke will transfer Bitcoins into the multisignature address on the Blockchain when this is required for trades. Technically speaking, this will work as the opening of a new payment channel, including new Bitcoins.
16. What happens if I sell Bitcoins?
Lykke might either keep the Bitcoins in your multisignature address for further offchain settlement or cash out these extra Bitcoins back to our hot wallet.
17. Where can offchain transactions be observed?
The Lykke Blockchain Explorer will provide offchain balances for multisignature addresses. (See the answer to Question 6 above.)
18. Will the broadcasting of the commitment transaction lead to the immediate transfer of my Bitcoins to the refund address?
No. The output of the related commitment transaction has a relative time lock of 24 hours. This means that you must wait 24 hours before you get the refund. An instant withdrawal requires two signatures: yours and Lykke’s. Commitment transactions should be used in case of emergency.
19. Why is a time lock needed?
The time lock enables counterparties to inspect broadcast transactions and take proper action in case of a dispute.
20. What happens with old commitment transactions?
All old commitment transactions must be deleted. Only the most recent commitment transaction can be used for a channel closure on the Blockchain. You can revoke an old commitment transaction by providing us with its temporary key, which enables us to spend all the outputs of a commitment transaction.
21. What happens if I broadcast a revoked commitment transaction?
Lykke is constantly monitoring the Blockchain. We have 24 hours to detect the revoked commitment transaction broadcast on the Blockchain. With the temporary key for each revoked transaction, we will broadcast a penalty transaction, which spends the inappropriately refunded coins. We will then start an investigation.
22. A commitment transaction is publicly available. Does this mean that someone can broadcast a revoked commitment transaction?
No. Any published commitment transaction has only one signature on it. Another signature is required to broadcast the commitment to transfer coins from one multisignature address to the other.
23. Do I provide commitment transactions for Lykke?
Yes. You provide the commitments for Lykke in the same way that Lykke provides them for you. Lykke might want to use a commitment for getting back the extra coins that we deposited into your multisignature address.
24. Assume that Lykke is compromised. What if the revoked transaction provided to Lykke is broadcast? Does this mean that I will lose my money?
You have at least 24 hours to detect the revoked transaction on the Blockchain and broadcast the penalty transaction.
25. How can I monitor the Blockchain?
Blockchain monitoring can be safely outsourced. We assume that there will be multiple independent third-party monitoring services available for you.
Some more technical questions
26. How does Lykke handle the Bitcoin malleability problem?
Until the Segregated Witness improvement becomes a reality, instead of monitoring transaction IDs, Lykke monitors addresses and outputs.
But since the Bitcoin Blockchain does not yet have Segregated Witness, whenever trust is required because of protocol design, it is assumed that Lykke can be trusted to open channels.
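The monitoring described in Questions 21, 24 and 26, as an added example that is not Lykke's code: it recognises a channel closure by the multisig output it spends and the outputs it pays, not by its transaction ID, and reports whether the broadcast state was revoked and how much of the dispute window remains. The data model, all names and the reading of the 24-hour time lock as 144 blocks are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: the 24-hour relative time lock is counted as 144 blocks (~10 min each).
WINDOW_BLOCKS = 144

@dataclass
class Channel:
    funding: tuple      # (txid, vout) of the 2-of-2 multisig output holding the collateral
    latest: frozenset   # outputs {(script, satoshis)} of the most recent commitment
    revoked: dict       # outputs of each revoked commitment -> label of its temporary key

def fingerprint(tx):
    """Identify a transaction by what it pays; unlike the txid, this cannot be malleated."""
    return frozenset((o["script"], o["value"]) for o in tx["outputs"])

def classify(channel, tx):
    """None if tx does not spend the channel, else 'latest', 'revoked' or 'unknown'."""
    if channel.funding not in {(i["txid"], i["vout"]) for i in tx["inputs"]}:
        return None
    fp = fingerprint(tx)
    if fp == channel.latest:
        return "latest"
    # 'unknown' covers spends such as a withdrawal signed by both parties.
    return "revoked" if fp in channel.revoked else "unknown"

def scan(channel, blocks, tip_height):
    """blocks: iterable of (height, [tx, ...]). Returns one alert per channel spend.
    blocks_left counts the blocks remaining before the broadcaster's delayed
    output becomes spendable, i.e. the time left to get a penalty confirmed."""
    alerts = []
    for height, txs in blocks:
        for tx in txs:
            verdict = classify(channel, tx)
            if verdict is not None:
                confirmations = tip_height - height + 1
                alerts.append({
                    "height": height, "verdict": verdict,
                    "penalty_key": channel.revoked.get(fingerprint(tx)),
                    "blocks_left": max(0, WINDOW_BLOCKS - confirmations),
                })
    return alerts

# Constructed sample data: scripts, amounts and ids are placeholders, not real values.
CHANNEL = Channel(
    funding=("funding-txid", 0),
    latest=frozenset({("client-delayed", 70_000), ("lykke", 30_000)}),
    revoked={frozenset({("client-delayed", 90_000), ("lykke", 10_000)}): "temp-key-1"},
)
OLD_STATE = {"txid": "malleated-id", "inputs": [{"txid": "funding-txid", "vout": 0}],
             "outputs": [{"script": "lykke", "value": 10_000},
                         {"script": "client-delayed", "value": 90_000}]}
BLOCKS = [(500_000, [OLD_STATE])]
```

Calling `scan(CHANNEL, BLOCKS, tip_height=500_005)` flags the constructed transaction as revoked even though its ID was never recorded, and returns the label of the temporary key needed for the penalty transaction.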
27. Where can I inspect the offchain source code?
The code by which we implement offchain settlement can be found in multiple places in our Lykke GitHub repositories, including:
https://github.com/LykkeCity/bitcoinservice (Search for offchain)